[RESOLVED] Apostrophe problem

robkir

My ISP upgraded to PHP 5.3 and I am finding that apostrophe's are once again a problem. Am I missing something on this code?

    if($_POST['inputMsg']) {
      echo "<p class='greenHead'>&bull; You posted the following message on the home page of the Requestor</p>";
      echo "<textarea rows='12' cols='80'>".htmlentities($_POST['inputMsg'], ENT_QUOTES)."</textarea>";

$sql = "UPDATE vq_info SET
          publicMsg='".mysqli_real_escape_string($cxn, $_POST['inputMsg'])."'";
            mysqli_query($cxn, $sql) or die ("Error in query l215:" . mysqli_error($cxn));

}

$query ="SELECT publicMsg 
          FROM vq_info";
            $result = mysqli_query($cxn, $query) or die ('Error ' . mysqli_error($cxn));
                $row = mysqli_fetch_assoc($result);


echo "<p class='brownHead'>&bull; Enter Your Revised Message Below. Click on 'Go Live' when done.</p>
<form method='post'>
  <textarea rows='12' cols='80' name='inputMsg' value='".$row['publicMsg']."'>".htmlentities($row['publicMsg'],       ENT_QUOTES) ."</textarea>
  <input type='submit' name='saveMsg' value='GO LIVE'>
</form>";

Thanks,
robkir

bradgrafelman

Well for one, <textarea> elements don't have a "value" attribute, so that's a bit of invalid HTML.

Other than that, can you be a bit more descriptive than "a problem" ?

robkir

bradgrafelman;11033487 wrote:
Well for one, <textarea> elements don't have a "value" attribute, so that's a bit of invalid HTML.

I rarely use textarea... but I should have known better.

<textarea rows='12' cols='80' name='inputMsg'>".htmlentities($row['publicMsg'], ENT_QUOTES) ."</textarea>
  <input type='submit' name='saveMsg' value='GO LIVE'>

Other than that, can you be a bit more descriptive than "a problem" ?

This is what happens when one stays up half the night frantically coding and then tries to think straight the next morning...I left the problem out...Jeeze.

The problem is that this code inserts a slash when an apostrophe is inserted into field (\').

thanks,
robkir

laserlight

It sounds like your php.ini was changed during the update such that, somehow, magic_quotes_gpc was set to on. If so, edit the configuration file to turn it back off.

bradgrafelman

... and chastise whoever enabled it in the first place (especially after upgrading to the minor release where it was deprecated... which is one minor release away from where it was removed altogether). 🙂

robkir

laserlight;11033491 wrote:
It sounds like your php.ini was changed during the update such that, somehow, magic_quotes_gpc was set to on. If so, edit the configuration file to turn it back off.

My ISP did indeed just upgrade. I checked the phpinfo and sure enough, magic_quotes_gpc is ON. Now...if I can just convince them to turn it off.

Thanks!

robkir

NogDog

robkir;11033495 wrote:
My ISP did indeed just upgrade. I checked the phpinfo and sure enough, magic_quotes_gpc is ON. Now...if I can just convince them to turn it off.

Thanks!

robkir

Depending on your particular hosting service/plan, you may be able to override it locally via either a local php.ini file or a .htaccess file. If, for some sad reason, that's not possible, I came up with this kludge a few years ago.

robkir

NogDog;11033499 wrote:
you may be able to override it locally via either a local php.ini file or a .htaccess file.

The hosting company is not willing to turn off the the magic quotes, they suggested putting "php_flag magic_quotes_gpc off " into an .htaccess file. I tried it. It didn't work with the example in my earlier post.

My .htaccess file currently says:

-FrontPage-

IndexIgnore .htaccess /.?? ~ # /HEADER /README /_vti
Options -Indexes
php_flag magic_quotes_gpc off

Do I have it set up right? Does it go in the root directory, or should I stick it in every directory (you can tell I am up on my .htaccess knowledge).

Here's another point I am confused about. When this first happened I constructed a test module to isolate the problem. Even though magic quotes was on it did not add in the slash before the apostrophe.

if(!empty ($_POST['testLine'])) 
  {

$query = "UPDATE test SET
  testLine='".mysqli_real_escape_string($cxn, $_POST['testLine'])."' 
LIMIT 1";
  mysqli_query($cxn, $query) or die ("Error in query l215: $query");
  }

$query ="SELECT testLine 
    FROM test";
     	$result = mysqli_query($cxn, $query) or die ('Error ' . mysqli_error($cxn));
        $row = mysqli_fetch_assoc($result);

// Pull value from SQL
echo "Test Value is " . $row['testLine'];
$testLine = $row['testLine']; 

// enter a string with an apostrophe and see what happens.
echo "<form method='post'>
Enter test line: <input type='text' name='testLine' value='".htmlentities($testLine, ENT_QUOTES)."'>$testLine
<input type='submit' value='SAVE'>
</form>";

NogDog, thanks for the lead on the 'kludge'. I may end up there, but first want to see if I can get the .htaccess to work.

robkir

UPDATE I got the .htaccess fix to work!

Thanks for the advice. If you have any other thoughts, please let me know.

robkir.

bradgrafelman

robkir;11033515 wrote:
It didn't work with the example in my earlier post.

The real test is to see if it actually affected the PHP directive. Did you do a phpinfo() and see if the "Local" value for magic_quotes_gpc was changed to "Off" after the .htaccess modification?

robkir;11033515 wrote:
Do I have it set up right?

It would appear to be correct to me, yes. Relevant PHP manual page would be: [man]configuration.changes[/man].

robkir;11033515 wrote:
Does it go in the root directory, or should I stick it in every directory (you can tell I am up on my .htaccess knowledge).

An .htacces file in a given folder will apply to all subfolders (but potentially overridden by any .htaccess files in those subfolders). So yes, just one in the root of your site should work.

robkir;11033515 wrote:
Here's another point I am confused about. When this first happened I constructed a test module to isolate the problem. Even though magic quotes was on it did not add in the slash before the apostrophe.

Simplest test would be to simply dump the contents of $_POST. If you see backslashes before single quotes, that's a good sign that magic_quotes_gpc is enabled.

EDIT2: Looks like I took too long to type this reply. 🙂

robkir

Did you do a phpinfo() and see if the "Local" value for magic_quotes_gpc was changed to "Off" after the .htaccess modification

It is Off -- looks like we were successful.

I still have a few more issues to clean up after the upgrade, but it looks like most of the problems are under control. Thanks again.

robkir

bradgrafelman

Out of curiosity... did your hosting company give you any heads-up as far as the upgrade?

In theory, a reasonably-sensible host would do two things: 1) provide advance notice of any and all "upgrades" or system-wide changes, and 2) provide a development/test environment with which you could use as a sandbox to test your application(s) in the soon-to-be-production environment. One thing I've done before is take a snapshot of the phpinfo() readout on one server and compare it to said development/test server to spot any new defaults the host might be trying to sneak in on me.

robkir

Out of curiosity... did your hosting company give you any heads-up as far as the upgrade?

They did not give any notice that I could find. They have a 'news' page, but it usually behind in news. To their credit, they did try to help me solve the problem, but it wasn't until I mentioned the magic quotes that they chimed in with the .htaccess fix. Fortunately this problem occurred early in the week. Most of my programs are used over the weekend and, although not the end of the world, really inconvenient when anything interferes.

Thanks for the tip on taking a snapshot of the phpini() results.

laserlight

robkir wrote:
The hosting company is not willing to turn off the the magic quotes, they suggested putting "php_flag magic_quotes_gpc off " into an .htaccess file.

Did you emphasize that the previous setting was off and changed unceremoniously during the upgrade, and that the feature (or shall we say bug?) has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0?

robkir

laserlight;11033529 wrote:
Did you emphasize that the previous setting was off and changed unceremoniously during the upgrade, and that the feature (or shall we say bug?) has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0?

I will let them know...what they do with that info is predictable (as in probably nothing). There's always something to make the day-to-day interesting.

robkir.

dalecosp

laserlight;11033529 wrote:
Did you emphasize that the previous setting was off and changed unceremoniously during the upgrade, and that the feature (or shall we say bug?) has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0?

Good point, although there's always a chance that if they find someone who cares that much about it they sic the sales department bulldogs on 'em for a dedicated package 😉

robkir

UPDATE --
The answer to the original question was to modify the htaccess file (and give the ISP a swift kick for poor judgement in leaving php_flag magic_quotes_gpc on). Weeks after I made the htacess file changes, I noticed that apostrophes were once again being escaped. The htaccess fix was no longer working!!! Bummer!!!! The ISP claimed they hadn't changed anything but I persisted and they sleeplessly admitted that there was a problem on their end. Hopefully...this won't happen to you.